The Problem

There is a lot of malicious software
• Hundreds of thousands of new, unique samples collected globally

But malware analysis is a time-consuming process
• And human-intensive

So we need better automation to understand the threat.
• Automated static analysis of artifacts
• Large-scale analysis of indicators
Malware Analysis Process
Static Analysis Improvements

1. Compiler transformation framework: ROSE [Quinlan 2000]
• A well-established program analysis technique, implemented here to analyze malware binaries at a larger scale

2. Optimize suffix-tree data structures for the identification of the longest common substring (LCS)
• We do substring searches a lot, and it takes a long time
• Helps with: malicious code analysis (code clones)

• Zero-suppressed binary decision diagrams (ZDDs) for compact representations of set families.
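
As an added example (not code from the SEI/CERT project), here is the longest-common-substring search described above, run over raw bytes with a suffix automaton, a compact relative of the suffix tree that is built once over one sample and then answers "longest substring of a second sample that also occurs in the first" in a single pass. The two byte strings used are constructed stand-ins for code sections of two samples.

```python
# Added example, not code from the SEI/CERT project: longest common substring
# (LCS) over raw bytes via a suffix automaton (a compact relative of the
# suffix tree). Build once over sample A, then scan sample B in linear time.

def build_suffix_automaton(data: bytes):
    nxt, link, length, last = [{}], [-1], [0], 0
    # nxt[s][byte] -> state; link[s] = suffix link; length[s] = longest string at s
    for c in data:
        cur = len(nxt)
        nxt.append({})
        link.append(-1)
        length.append(length[last] + 1)
        p = last
        while p != -1 and c not in nxt[p]:
            nxt[p][c] = cur
            p = link[p]
        if p == -1:
            link[cur] = 0
        else:
            q = nxt[p][c]
            if length[p] + 1 == length[q]:
                link[cur] = q
            else:
                # split q: the clone keeps q's transitions with the shorter length
                clone = len(nxt)
                nxt.append(dict(nxt[q]))
                link.append(link[q])
                length.append(length[p] + 1)
                while p != -1 and nxt[p].get(c) == q:
                    nxt[p][c] = clone
                    p = link[p]
                link[q] = link[cur] = clone
        last = cur
    return nxt, link, length


def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Longest byte sequence occurring in both a and b (empty if none)."""
    nxt, link, length = build_suffix_automaton(a)
    state, cur_len, best_len, best_end = 0, 0, 0, 0
    for i, c in enumerate(b):
        while state != 0 and c not in nxt[state]:
            state = link[state]          # fall back to a shorter matched suffix
            cur_len = length[state]
        if c in nxt[state]:
            state = nxt[state][c]
            cur_len += 1
        if cur_len > best_len:
            best_len, best_end = cur_len, i + 1
    return b[best_end - best_len:best_end]


if __name__ == "__main__":
    # Constructed stand-ins for two code sections sharing one cloned routine.
    sample_a = b"\x55\x48\x89\xe5hello world\xc3"
    sample_b = b"\x90\x90hello world\x31\xc0\xc3"
    print(longest_common_substring(sample_a, sample_b))  # b'hello world'
```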
Dynamic Analysis Improvements

Malicious Behavior and Model Checking: formally describe software behavior and be able to determine whether the behavior is malicious.

1. Construct an accurate binary instrument for trace capture (trace monitor)

2. Use the trace monitor to capture benign and malicious software behavior (collect trace data)

3. Analyze trace data to determine features that link software by behavior.

4. Formally model methods to classify software traces as malicious or benign within the formal language of hyperproperties.
Indicator Analysis Improvements

Lead by doing discovery at scale:
• Passive Detection of Misbehaving Name Servers
• Route Injections - What Are They Good For?
• Everything You Wanted to Know About Blacklists but Were Afraid to Ask

Lead by codifying theory and models:
• Game theory
• Metrics
• Take-down models
• architect
Global Improvements

How do we analyze and design observations of engineered artifacts?

Usually, a scientist would turn to the philosophy of science to answer methodological questions.

But there were no answers in the philosophy literature.
• Thus our paper "Exploring a Mechanistic Approach to Experimentation in Computing."

Computing is new and old
• Newer - study of engineered mechanisms
• Old - study of physical mechanisms

Accommodating these differences presents fundamental challenges we are just unravelling.
Future

This line-funded work was not renewed per se. The work will be continued as:
• Customer-funded deliverables
• New directions within LENS work
Contact Information

Ed Stoner
Senior Member of the Technical Staff
CERT/CC - Threat Analysis
Telephone: +1 (412) 268-6187
Email: ers@cert.org

Web
www.sei.cmu.edu
www.sei.cmu.edu/contact.cfm

U.S. Mail
Software Engineering Institute
Customer Relations
4500 Fifth Avenue
Pittsburgh, PA 15213-2612
USA

Customer Relations
Email: info@sei.cmu.edu
Telephone: +1 412-268-5800

SEI Phone: +1 412-268-5800
SEI Fax: +1 412-268-6257

Fall 2014 SEI Research Review
Software Engineering Institute, Carnegie Mellon University. J. Spring; October 29, 2014
©2014 Carnegie Mellon University


References

Quinlan, D. "ROSE: A Preprocessor Generation Tool for Leveraging the Semantics of Parallel Object-Oriented Frameworks to Drive Optimizations via Source Code Transformations," 383-397. Proc. Eighth Int'l Workshop on Compilers for Parallel Computers (CPC '00). Aussois, France, Jan. 2000. Ecole Normale Superieure, 2000.